R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

April 27, 2003

FYI - Regulators Issue Guidance on the Risks of Weblinking  - Four financial services regulatory agencies today issued guidance to assist financial institutions in identifying and managing the potential risks involved in the use of weblinks. A weblink transports a viewer to a different part of a website or to another website.
www.occ.treas.gov/ftp/release/2003-33.htm
www.fdic.gov/news/news/press/2003/pr3403.html
www.fdic.gov/news/news/financial/2003/fil0330.html
www.ots.treas.gov/docs/77315.html
www.ncua.gov/news/press_releases/2003/Joint0423-.htm

WEB SITE AUDIT -
As a web site audit client, you know that we checked the weblinks on your site for functionality and appropriateness.  We will continue to study the new weblink guidelines and will adjust future web site audits accordingly.  

FYI- Banks offer sweeteners to paying bills online http://news.com.com/2100-1019-997610.html?tag=cd_mh 

FYI- Virus attack on PC downloaded porn - A man accused of having pornographic pictures of children on his PC was acquitted after a court heard that his machine was infected with a Trojan on his PC which probably auto-downloaded the images.  http://www.theinquirer.net/?article=9023 

FYI- A survey of the state of information security, as measured against ISO guidelines, shows plenty of room for improvement.  Is the problem a lack of overarching vision, a dearth of adequate resources or a little of both?  http://www.csoonline.com/read/040103/survey.html 

INTERNET COMPLIANCE Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance. 

INFORMATION SYSTEMS SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT


OVERVIEW

The quality of security controls can significantly influence all categories of risk. Traditionally, examiners and bankers recognize the direct impact on operational/transaction risk from incidents related to fraud, theft, or accidental damage. Many security weaknesses, however, can directly increase exposure in other risk areas. For example, the GLBA introduced additional legal/compliance risk due to the potential for regulatory noncompliance in safeguarding customer information. The potential for legal liability related to customer privacy breaches may present additional risk in the future. Effective application access controls can reduce credit and market risk by imposing risk limits on loan officers or traders. If a trader were to exceed the intended trade authority, the institution may unknowingly assume additional market risk exposure.

A strong security program reduces levels of reputation and strategic risk by limiting the institution's vulnerability to intrusion attempts and maintaining customer confidence and trust in the institution. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services. Examiners and risk managers should incorporate security issues into their risk assessment process for each risk category. Financial institutions should ensure that security risk assessments adequately consider potential risk in all business lines and risk categories.

Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary pre-requisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.

Risk assessments for most industries focus only on the risk to the business entity. Financial institutions should also consider the risk to their customers' information. For example, section 501(b) of the GLBA requires financial institutions to “protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.”


INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration

8. Determine if users are aware of the authorized uses of the system.

• Do internal users receive a copy of the authorized-use policy, appropriate training, and signify understanding and agreement before usage rights are granted?

• Is contractor usage appropriately detailed and controlled through the contract?


• Do customers and Web site visitors either explicitly agree to usage terms or are provided a disclosure, as appropriate?

PRIVACY
-We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Examination Objectives 

1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.

2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.

3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:

a)  Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice; 
b)  Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out; 
c)  Appropriately honoring consumer opt out directions; 
d)  Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
e)  Disclosing account numbers only according to the limits in the regulations.

4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated